Another Zero-Day Java Flaw Discovered

For the second time in less than a month, researchers have discovered a "critical" zero-day issue with Oracle's Java plugin.

Adam Gowdiak, CEO of security firm Security Explorations, discovered the flaw that can be exploited to bypass Java's security sandbox. Once leveraged, malware can be remotely installed on a targeted machine.

"The impact of this issue is critical -- we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7," wrote Gowdiak in a Full Disclosure security newsletter.

He also commented that anyone running the Java plugin is vulnerable to attack, regardless of the OS or Web browser used, and that Oracle needs to move quickly to fix the situation.

"We hope that a news about one billion users of Oracle Java SE software [3] being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's [4] morning...Java," wrote Gowdiak.

Gowdiak's security team tested the vulnerability and was able to leverage the flaw on both Windows- and Mac-based machines. Exploitation was also successful using the Firefox 15.0, Google Chrome 21.0, Internet Explorer 9, Opera 12.02 and Safari 5.1 Web browsers.

Specific details on the vulnerability have been forwarded to Oracle by the security team.

The Security Explorations team was also responsible for finding a flaw in Java Version 7 Update 7 earlier this month. That vulnerability, found one day after the release of the out-of-band update, could also be leveraged to bypass the security features of Java's sandbox. Gowdiak also said that he had reported 30 Java vulnerabilities earlier that year, many of which remain unfixed.

Oracle has remained quiet on the disclosure of the new vulnerability, and it is unclear whether a fix will come in the form of an out-of-band patch or be part of Oracle's quarterly Java update, scheduled for Oct. 16.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
